CVE-2017-1000424: Electron vulnerable to URL spoofing via PDFium

CVSS Score: 4.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.50497%
Published: 5/13/2022
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name: Electron
Ecosystem: npm
Vulnerable Versions: >= 1.7.0, < 1.7.6
First Patched Version: 1.7.6

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from two key issues: 1) Insecure URL construction in PDF resource handling that failed to properly escape user-controlled PDF URLs, allowing parameter injection. 2) Dangerous unescaping rules when parsing the PDF src parameter that permitted spoofable characters. The GitHub patch shows the addition of net::EscapeUrlEncodedData for proper encoding and removal of unsafe unescape rules, directly addressing these vulnerable code paths. The added test case verifying URL escaping confirms these were the attack vectors.
